
My name is Ken Westin. I am a senior security analyst with Tripwire; I'm based out of Portland, Oregon. I want to thank you guys for having me out here, this is great. I've been on a bit of a tour: I was in Texas, actually, at a panel talking about SCADA security, and then I'm heading up to SecTor next to talk about cyber stalking, so this is kind of a stop in between. I'm going to be talking today about "Point of Sale to Point of Fail," so talking about sort of the rash of retail breaches that we've seen over the last few years, talk about, you know, how this actually came to be, and then also offer some guidance as to what we can do to actually stop at least these types of breaches.

So again, my name is Ken Westin. I do work at Tripwire in Portland; I work a lot with customers, I look at emerging threats. We have a lot of large retail customers. Actually, with a lot of these breaches that were occurring, we actually have one customer that was using our tools, and we were able to detect that before those credit cards were exfiltrated, and that focused people to go look at them and ask, you know, how did you guys do this with our tools? And through that we were able to create additional tools to help mitigate some of these risks, particularly when it comes to the new point-of-sale malware with memory scraping, things like that. We're dealing with very sophisticated types of tools that we haven't really seen before, and a lot of retailers were sort of dumbfounded as to how they actually can block this type of attack. And actually the technologies have existed for a long time to block these types of attacks; the problem is it's very expensive, as it requires major hardware refreshes, and I'll talk a little bit about that.

Previous to Tripwire, I developed a number of tools to sort of use malware to recover stolen devices and solve other crimes. I've been involved with a number of cases; I probably put several dozen people in prison for stealing devices or child pornography or other things, and other investigations I've been part of. So I'm very interested particularly in how criminals actually do what they do, and that's what I'll kind of walk through here.

So if we actually look at the evolution of cybercrime, it actually follows the evolution of money, and if we sort of look at how our money has evolved, really we shouldn't be surprised that hackers or criminals are targeting point-of-sale systems, because that's where the money is. You know, as we evolved, the US dollar became a paper currency, became a fiat currency; most transactions, most money is now digital in some format, be it through credit card transactions. We're also seeing cryptocurrency, and the sort of pseudo-anonymity that Bitcoin actually provides has actually helped fuel some of the elements of cybercrime, which I'll talk about a little bit: talk about underground markets, hidden services and things like that that are helping to really fuel this.

So I got a quick trivia question for you: who is this? Does anyone know? All right, I'm gonna give you a hint.
It's Black Bart, also known as Charles Bolton. So Black Bart was known for robbing stagecoaches. He actually was on the East Coast; he went out to California to join the gold rush, he wanted to make his riches. When he got there he was very disillusioned with it, he had a lot of issues, he wasn't able to make a lot of money. He'd actually left his family as well to come out and strike it rich, and he became very frustrated with Wells Fargo for whatever reason. He also was very well versed in how they actually operated, and from that he was actually able to find a way to actually get his gold. He was a mountaineer; he knew the mountains, he knew the terrain, and so he knew the points where he could actually stop these stagecoaches and rob them of the gold. Why go and mine the gold when you can just steal from these stagecoaches? He was sort of an early hacker in many respects, because what he would actually do is, he was very nice to the people that he was robbing, and he would actually put gun barrels in bushes so that the people would think that there were additional people that were part of his gang, when in reality it was just him. So in many respects, when we look at some of these retail breaches, this I believe is just a continuation of this; it's just human instincts, I believe it's human nature, particularly when money is involved.

And I actually went back and I looked at Wells Fargo. They actually had a corporate report where they looked at the actual cost of these stagecoach robberies. So if we actually look, the actual total losses of theft were around four hundred and fifteen thousand dollars, but if you actually look at the actual rewards they paid, which were a percentage of what was actually stolen, they had to pay a bounty for every one of those, so they didn't just have a salary, they actually got paid for when they captured these guys. There were attorney fees, other expenses, and oh, there's also the salary of some guards that they had that were up on the stagecoaches. So the actual cost of, you know, going after these guys and the security was actually more than the actual losses themselves. Does that sound familiar? If we look at retail right now, that was one of the driving forces behind this, is that a lot of the retailers, they didn't see that there was added value in actually securing that information, and that created this sort of insecure environment that allowed hackers to thrive.

You'll see here that train robberies were a little bit lower, right? So they went from stagecoaches to trains, because that's what they started migrating to: as the railroad started getting built, they stopped relying on stagecoaches. It's a lot harder to rob a moving train, it's a lot harder to stop it; some people did, but it was a lot more dangerous. We're talking about the ROI, increasing the ROI for the attacker, making it more difficult for them to actually get at the goods. It's going to be increased risk: there's more risk of them getting caught or killed, or just stopping the speeding train is pretty difficult, and it requires a large group of people to do. The more people are involved, the more likely you're going to get caught.

So now we look at some of the retailers that were hit recently, and there's quite a few big
ones. I mean, we've all seen Target, Home Depot; a number of retailers were hit, from big to small, and it seems like every month there's additional retailers that are actually still getting hit. So how is this? Wouldn't we have learned, right? These retailers got hit and, you know, hey, we're going to go change our infrastructure. Unfortunately it's not so easy. A lot of these payment systems and payment gateways that have been set up require massive financial resources, hardware refreshes, and also a lot of these retailers are actually focused now on the EMV conversion, so that's a big requirement. Unfortunately the EMV requirement isn't going to make the credit card situation go away; it actually doesn't increase the security in any way. Well, I will show how it decreases the demand for stolen credit cards, but it's not going to make those credit cards more secure.

So we even saw that the DHS, or actually the US Secret Service, actually sent out a number of alerts to retailers, and it's really interesting when the US Secret Service is getting involved and they start actually talking to these retailers: you need to start securing your stuff. The Secret Service in particular has access to information around fraudulent credit cards; they're able to actually detect these breaches usually before the retailers do, and basically it's from identifying patterns of fraud from the transactions, right? They're able to identify sort of the single point of commonality of where these transactions occurred, and then they're able to identify not only what retailer was hit, they can narrow down specifically to what store, and even in some cases what specific system. And I'll talk a little bit about how that works further down the road.

So we have PCI DSS, right? So that's going to save us from all these breaches. Unfortunately, what we've actually seen is, even as PCI DSS comes out with the different versions, the number of breaches is actually increasing. So PCI DSS, it's a checkbox, basically. When we talk about compliance, that's something that we have to do, whereas security is something that we should do, so there's a big differentiator there. Unfortunately, when we talk to people that are executives or people that are on boards, you know, the first thing they say is like, well, we're in compliance with PCI DSS, what's the problem, why aren't we secure? And that's a real problem I'm finding, particularly with executives: explaining to them the difference between compliance and security.

So EMV is going to save us, right? Not quite. Here's actual statistics around EMV when it was actually deployed in Europe. Sure, when it was adopted, the amount of credit card fraud went down; however, it increased because the hackers found a way around it. They found that they could actually steal these credit cards and they could use them in different countries, because those other countries didn't have EMV, and what happens when you have a credit card that doesn't support EMV? It goes back to the mag stripe, right? So they're able to do that, and then the credit card processors had to initiate other things around fraud to try to block some of that, but still they have this sort of cat and mouse game when it comes to credit card fraud. What it's done is actually it's decreased the actual value of the credit cards, but it hasn't necessarily decreased the amount of credit cards that are out there. The types of credit card fraud are very different: they can't go out and create counterfeit cards as easily, it requires a little extra work; however, online fraud and things like that, that is still going to become a problem.

So, sort of understanding the underlying economy of how hackers work. This is sort of a rough example. You know, when the credit cards were stolen from Target, it's usually a criminal syndicate or a group that's specifically what they do: they're targeting credit cards. They will then sell those to a carder. So carders, they deal in... there's forums, there's a number of these hidden services or hidden markets on Tor. Well, they'll actually sell the credit card numbers to lower-level actors, who are the carders. The carders, what they'll do is, they'll try to turn those credit cards into, for example, a prepaid credit card, or then they'll transfer that into an Amazon gift card. So why do they go through all these different steps? The reason is because it takes a long time for these credit card companies and people like Amazon to catch up to what actually happened. By the time they've actually figured out that, hey, this prepaid credit card was purchased with this stolen credit card, and then that went to this Amazon card, there's a whole process that has to occur, but it can be anywhere from several weeks to several months before that crime is actually unveiled. So the retailers like Amazon, the guys that issue the prepaid credit cards, they actually lose a lot of money; of course, some of it they get back on insurance. Those credit cards are then used to buy goods. So they'll buy them on Amazon, they'll then ship those to someone who's sometimes a mule. This is a whole other realm of fraud, where these fraudsters will target maybe a stay-at-home mom or someone who wants to work from home: all you have to do is, you're going to be a shipping associate, and what we're going to do is we're going to send all these packages to you, and either they're going to send them directly to another customer who's already purchased them through an underground market, or they'll ship them up into a big box and they're going to ship off a bunch of stolen goods like phones and things like that outside the country. And the problem with this too is that, you know, the police, they figure this out, they go to this house; these people basically, they're committing crimes that they're not aware of, and sometimes they can even have a felony now on their record as a result of that. And that just goes to show that this isn't just about stolen credit cards; there is an entire underlying economy and a process that this all goes through.

So if we actually look at some
of the underground markets, you know, there's a lot of services and tools that are actually available. You have your initial access tools, so delivering payloads, automating exploitation; you'll have exploit kits and zero-days. BlackPOS, for example, was being sold for around two thousand dollars before it was sort of made open source in the underground community, because there's a whole drama around that. And so there's also payload parts and features, so you can actually pay people to customize that for a specific environment. So people think, you know, the hacker, it's like one guy in someone's basement. No, this is a very organized criminal group; they're highly organized, highly specialized. If anything, they're actually reflective of a very well-run business in many respects. So you also will have people that have, you know, a botnet, or hackers; it's not uncommon for them to run, like, a denial of service attack against infrastructure to distract an IT team before they actually go in and target a point-of-sale system, for example. You'll also have additional payloads that'll have malicious behavior, you know, focused on destruction, denial, degradation, deception. There's a number of botnets that are out there actually available for lease or sale; we've seen these used by these groups for exfiltration of the credit card data once they've actually gotten it. It's very difficult then for law enforcement to trace where that went. So, you know, where do most stolen credit cards go? Do you guys know what country? Oh, right, you guys are good.

So, yeah, there's also enabling services, so there's groups that will actually assist in finding the targets, finding vulnerable hosts. And what's really important too is that there's groups that know how these systems operate; sometimes they may even enlist people that worked in IT, or ask someone that works in IT at some of these companies some questions about how they're structured. One thing I found too, when I was doing research, is that some of these retailers were doing case studies with very well-known security vendors or point-of-sale systems, and then it would be very easy to identify specifically what systems they have in their environments. And I've even seen some cases where they actually had full network architectural diagrams on the case studies of how the network is structured and how great this point-of-sale system works. That's a bad idea. If you work for a company and you have a security vendor that wants you to do a case study, be very suspect of that: do it anonymously, or ensure that, you know, your security team actually has a chance to audit that document, because you can actually be exposing a lot of information. I work for a security company and I see this; I even advise our customers, and even sometimes the marketing group gets a little excited about case studies. Just given the nature of our business, I feel it's more responsible to focus on their security.

So when we actually look at the credit cards, a lot of these ones from Target, if we look at, like, Brian Krebs, who did a lot of research on this, it ended up in one specific market. You're looking at about 2.8 million credit card numbers at about eight to twenty dollars each. You know, these credit cards have a half-life: as soon as it's been disclosed that they're part of a breach, the banks are going to shut them down pretty quickly, so these guys have to operate rather quickly. Usually within two to three weeks those credit cards are no longer valid. I also found a lot of other places to buy credit cards, not necessarily from mega breaches, and actually there's ones that you can go and... a lot of times in restaurants, sometimes a waiter will have a little side business, or sometimes you'll see it at gas stations as well with skimmers. They'll actually store, you know, a few hundred credit cards, but then they'll be able to sell those to people on the black market. They're not going to become millionaires, but, you know, it's a little extra money in your pocket, so it's just something to be aware of. They'll also target some smaller retailers, particularly where they're looking at remote desktop. We actually saw in the Northwest, around Seattle, Dairy Queen was hit, and it was through a particular payment processor that wasn't securing their infrastructure properly. They wanted to provide remote access to the service provider and to some of the IT folks in the organization, but they didn't provide two-factor authentication and the password was really easy to brute force, and I'll kind of show some examples of that. And see, if you want to look, I mean, there's tons of onion sites out there where you can buy the stolen credit cards. Be careful about creating some of these accounts if you're in the security industry; you know, you can go out to look at them, but don't purchase anything from these websites, even if you're tempted to. There is a record of that and you're basically committing a crime.

So when we actually look at some of these underground markets, you know, you have people that are sort of general members, sort of this pyramid. You have mules that can be, you know, aware that they're committing a crime or unaware, like with the repacking fraud, for example, and that's sort of the lower level. And then you have sort of the vendors and the brokers, so people that are... they're actually the carders; they're creating the forums, they're actually selling these credit cards. And then you have the people that are more specialized: they're writing the exploits, the malware devs. And what's really interesting about this is that, you know, the further you move up the food chain, the more money is being made, the further you're getting away from the actual crime. So when we talk about a lot of this stuff, these guys are actually basically operating with impunity in Russia and Eastern Europe. You know, the FBI and law enforcement have a lot of information, they know who these guys are, but the problem is there's not a lot of collaboration with law enforcement on the other side, and that's sort of helping to fuel this as well.

So, you know, hackers have... you know that there's a lot of job security right now in security. If you actually look at the process that we're actually implementing for EMV, for example: EMV, we've already passed the deadline, right? So everybody has their chip and PIN, right? Everyone's got their chip and PIN card, right? So it's going to take the retailers at least another two years, I believe, before we're actually going to have chip and PIN. In Canada, you know, Europe, they've had this for years; it's really amazing how long it's really taken us to get there, and this is actually helping to drive this as well. Why go target Europe or whatever when the US is still an easy target? So in
many respects we've made ourselves an easy target. I keep saying "target," sorry.

So here's an actual photo of some machinery that was actually picked up from a group that was actually making fraudulent credit cards. You know, making the fraudulent credit cards, it's not easy; it actually requires a lot of machinery and a high level of sophistication. You know, people always think that, oh, these people that steal identities, they're all tweakers and things like that. Not necessarily; it's a very well-organized group, and the machines that they have at their disposal are actually quite expensive. Just to give you guys an example, you have your card encoder; those aren't so hard to get, I buy them on Amazon. I actually have one myself, where we actually create a demo where we do a RAM scraping demo and I run it on my computer. You know, getting a skimmer as well, or an encoder that actually writes the information to the mag stripe: the technology is incredibly old, and there's machines out there where you can do it just off your computer. Then you have the embossing machine, and that makes those cards look a little bit more legitimate. My credit union, they give me a new debit card, I get a new card every three to six months just because I'm paranoid, but, you know, now they've gotten to the point where they don't even emboss their cards; it's just a flat card and it has a magnetic strip on it and that's it. Then you have the tipping machine, and those are a little expensive, but that's what's actually going to put the nice little foil on it. So if you're going to be in the, you know, creating fraudulent credit cards, you really want to, you know, show your customers that you're the primo: make sure you get a tipping machine, make sure you have that magnetic foil in there to really make it look realistic. And again, you can buy these credit card encoders on Amazon, you can buy them even on other sites; you know, you get the encoders as well, so, you know, you can get them for anywhere between ten dollars for a reader to 150 bucks for an encoder.

And then if you look in underground markets too, you'll find that there's a lot of stolen goods that are out there really cheap. They're brand new, like a new iPhone or an iMac that maybe you want to get for someone for Christmas; the holidays are coming up. So there's these carding stores, and basically these are goods that have been acquired through that process I was talking about, where you get the prepaid cards and then you get the Amazon gift card, and then, you know, they get the goods that are then shipped overseas, or, you know, it could be shipped from someone else's house as well in the US. But you can go and you can get an iPhone for half price, it's brand new, and this again, this is to help drive a lot of the demand for these stolen credit cards. So people that are actually buying these stolen goods, they're involved in this process as well.

So what's interesting is that, you know, if we actually look at some of these breaches, it takes around two hundred days before an actual intrusion is detected, if it's detected at all. A large number of the retailers that have been hit, they didn't detect that they were breached; they were told that they were breached, because the credit card numbers were discovered through the fraudulent transactions. So in some cases they may discover it in two hundred days, but a lot can happen in two hundred days; there's a lot of fraud that can take place. So, you know, if you don't have the right tools in place to actually detect a breach, you're going to be in trouble, because what's going to happen is you're going to be notified in one of two ways. You're going to be notified by Mr. Krebs; well, he has a connection to a lot of bank fraud managers that actually disclose some of this information when there is a breach. There's a number of tools out there, and there's one I'll talk about here in a bit, that can provide a service, a service provider that can actually tell a retailer if they've been breached, if their credit card numbers are out there in the wild. And also the Secret Service: they have access to this information, they have a direct funnel from the banks and the transactions where they can actually identify the fraudulent transactions. So, you know, then you might find out that you've been breached because the CEO calls you in and wants to know why your company is on the front page of The Wall Street Journal, right? That seems to be when the execs really seem to care, is when there is some sort of impact to the brand, and, you know, no one wants to be in that situation. When we see Target, for example, basically it was a complete ouster of the entire C-suite; people lost their jobs, right? And now finally executives and boards are actually paying attention to this. Retailers, mega retailers in particular, they're actually focusing a lot more on security, but unfortunately it takes mega breaches like this for them to actually move.

So how do we actually detect, you know, that there's been a breach? If we don't have the tools in place, we can't detect that there's been a breach in our environment. So how is it that the Secret Service or bank fraud managers actually identify that there's been a compromise? So normally what happens is, there's around two percent of the credit cards that are out there that will actually be used in a fraudulent transaction. So people are shopping at, you know, your local grocery store; in general, two percent of those transactions, those credit card numbers, will be found at some point to be fraudulent. So that's sort of the background noise, that's sort of where we've established our baseline. Once they start to see that that number rises, too, to like five percent, then things start to get a little suspicious; when it gets up to ten percent, Houston, we have a problem; twenty-five percent, we've been breached, something's happened here. This is when you're going to get the call from the Secret Service, or someone on Krebs' side will notify them that there's some sort of anomalous activity happening here. So the way this works is, if we look at a map, I'm down here in the corner here; let's say there's all these transactions that are happening. If all of a sudden they start to see that there's a lot of fraudulent transactions, usually in another state or another area of the country, you know, those are all going to throw a bunch of red flags, and this process can take anywhere from, you know, a few weeks to several months. If we actually look at the actual credit card transactions, fraudulent credit card transactions by region, it's a really great map. This was actually made by a group called Rippleshot, and they actually have access to this information; they're actually able to identify... you can actually, as a retailer, you can subscribe to their service and they will actually tell you, before the Secret Service does, that, yeah, you guys have a problem, we're seeing stolen credit cards, you know, they came from your store and you need to do something about it. What's really neat is, I got to look at some of their technology; not only are they able to tell you specifically what retailer, they'll tell you what store, even to what system specifically was actually compromised. So that can be a nice thing: you've already been breached, you know, but maybe you'll get a week or two ahead, way before this actually gets announced out into the press.

So this is the actual losses associated with one of the, I won't say which one, but one of the mega retailer breaches. Before there was actually any indication that they were breached, or any notification, there were roughly two billion dollars' worth of transactions that actually occurred with those credit cards. So, yeah, so who pays for that, like two billion dollars, right? They just write that off? No, we all pay for that, because we get increased credit card fees and transactions; the retailers have to increase their prices as well. So there's a lot of money
that's being lost as a result of this, and, you know, we as taxpayers as well will pay for that.

So then we want to know, you know, how are these retailers actually being hacked? The first one is RDP, so remote desktop. This is low-hanging fruit for a lot of hackers. I actually ran a quick scan, and within about 10 seconds I found just randomly about 1,200 systems with open RDP ports, and you can scan the entire internet within a few hours. I turned this off quickly because I don't want to piss anyone off, but everyone is basically being scanned all the time. I mean, we know that; if anyone has IDS and you're looking at your logs, you know you put a system up and you're immediately scanned, within 10 minutes. They're always looking for open ports like this, and with RDP it's really easy to do brute force, because there's some issues around that. So bad passwords are really bad; a lot of the smaller retailers in particular are very guilty of this. They won't have a good password, they won't have account lockout; it's not enabled by default for remote desktop, it is an option, but most people don't have that enabled. There's also two-factor authentication; it requires additional third-party tools to actually implement that. Again, that's gonna be a cost, it's convenience, you know, why bother? And then there's this tool here; it actually will brute force. If you find an open RDP port, it'll brute force it. It's pretty powerful, actually; it'll find a password rather quickly. And then I actually found, when I was poking around in these underground markets, I actually found a number of RDP accounts that were actually for sale in these underground markets. So if you're lazy, you don't want to do the scans, you don't want to do the brute force yourself, again there are services you can go out and find that for, and some of these guys will even do the work for you: they'll even tell you specifically what retailer it is, they'll gather all the information for you and then basically just hand you the keys to the kingdom. Again, you can then also hire someone to write the malware for you to compromise those systems. Usually these RDP systems, when people RDP into them, they're going to be used for command and control, used to be part of a botnet to do distributed denial of service attacks, things like that, but a lot of times they'll go in and they'll find that this is actually a point-of-sale system, and then it's just a bonus at that point.

So then if we actually look at the kill chain, and actually how these criminals actually function: from what I found, they do a lot of research on the organization before they even touch the network. They do a lot of passive reconnaissance. I got permission from one customer to actually do something similar, where the whole thing was, I'm not allowed to touch the network at all. I started with infrastructure, just doing some things for DNS, things like that, and then I got really creative and I started mining social profiles. LinkedIn is awesome: if you want to know what kind of technology a company has, look at their job postings, mine the LinkedIn profiles of their system administrators. I was able to get a lot of information; I actually gave them about a 200-page report of all the information I found and scared the crap out of them. They're like, well, how do you know this? We said you're not allowed to touch the network. And I'm like, well, you have a bunch of people actually in your company that are looking for jobs. You know, I didn't reach out to them directly, but I could get more information from them; but I was able to go through their profiles and identify what they specialize in, and, you know, it's very simple from there. So they do a lot of research, not just on, you know, the employees and the infrastructure; they'll do a lot on understanding who your business partners are. Some of these environments are very secure, and so sometimes the best way in is through a trusted partner. We saw this with Target, right? So through their HVAC vendor. No, they didn't go into the HVAC system, not any sort of, like, Mission Impossible thing through the vents. What they did was, they gave them access to a billing system, and it just happened to be that they didn't segment some of their network properly, so by the hackers actually getting access to those credentials and logging into the billing system, they were able to get into the payment systems and the point-of-sale devices as well.

And also they'll still rely on good ol' exploits, so there's always vulnerabilities within your infrastructure. You know, we do a lot with vulnerability management; sometimes a lot of companies, even small companies, they think, yeah, we ran our vulnerability scan, we ran Nessus about six months ago, didn't find anything. A lot changes in six months; a lot changes within two hours, especially nowadays when we start seeing zero-day vulnerabilities like Heartbleed, things like that, and they're popping up pretty regularly. Sorry, I've got to get some water. So always be on the lookout for that as well.

So once they actually get in, you know, it can be through remote desktop, it can be through a phishing campaign, through a trusted business partner, or an exploit; you know, they're going to get inside, and the first thing they're going to start doing is identifying vulnerabilities within the network. A lot of times people focus a lot on securing their perimeter, not so much once they get on the inside. It's sort of like an orange: it's like, maybe a little bit harder on the outside, but once you get inside it's nice and soft and squishy. They're gonna target, and they're going to look for critical assets. Things they want to target are going to be Active Directory, any sort of network applications, and then a patch server, for example. In some of the breaches we've seen, they've actually targeted the patch server that the point-of-sale systems were actually getting their firmware from. So you don't need to go out and compromise each one of those individual point-of-sale systems; all you need to do is compromise the patch system, you get your firmware, which went in there with some malware on it, and you can easily, quickly deploy that, not just to a few point-of-sale systems. A lot of these have a centralized system where they'll have one data center that all the stores will then go to and download the firmware to a server that's in the store, and then from there, around two to three o'clock in the morning, then they obviously deploy that out to the systems, and this whole process is automated. So, and there's some stuff around signatures and things like that, but it's easy to spoof, and there's no sort of manual process that's in there; there's no one really observing that process as it occurs, particularly around two or three o'clock in the morning. So that's what we've seen with some of these mega retailer breaches, where they're actually able to very easily deploy their point-of-sale malware to these devices. From there they're able to exfiltrate credit card data, depending on the type of malware; I'll kind of go through some details here shortly, but then they're able to exfiltrate those credit cards. They'll usually then load it to another server they've compromised in the environment, and then very carefully, very
carefully they will exfiltrate that out through a series of different servers to sort of hide their tracks and once this happens once the cards of an actual trader from the organization that's the point of no return once they've left the building you've been breached and you either didn't have the tools in place to detect that something was going wrong or you know you're going to hear about this from the secret service or mr. Krebs so we want to look at some attack vectors for these point sale systems so even a system or an environment that's you know fully compliant with PCI DSS they're still weak points so kind of going back to Black Bart right he knew how those
the the systems operated oh thank you so much just second sorry so he knew where those systems operated and he knew where to stop those stagecoaches where he wouldn't get caught where they're isolated and alone and it's the same thing when we talk about hacking point-of-sale there's places within these environments where we can actually get and grab credit card information particularly because most of the retailers in the u.s. haven't focused on point to point encryption which I'll discuss a little bit later on with target the the US stores were hit you know there's also target in Canada and they weren't hit do you guys know why they had point to point encryption installed on those devices so the
malware in that particular case wouldn't function properly so there's I'm not saying you're going to be one hundred percent secure but you're again you're going to increase the risk in the cost the attacker to go after that type of environment so if we actually look specifically the data in memory that's where the point-of-sale malware is really targeted is where it's really thrived in all these mega retail breaches a lot of these organizations they will encrypt information between you know the device and maybe a payment gateway a lot of times they actually won't have the information encrypted within the store and the environment which I'll talk about as well but if they even if they are encrypting that
information you can still easily extract that out of ram and if we look at some of the versions of of the point-of-sale malware there's a number of them out there they've evolved they become more sophisticated over time you know the the most popular ones been black POS and there's even more sophisticated versions like Lucy POS there's even versions that you know open up tour connections there's all sorts of really interesting things that they're actually doing with this malware sometimes I'm just sort of amazed at how technical some of these guys are it's pretty amazing some this malware that they've actually written so if we actually look at the point-of-sale the weak points the places we want to
look for credit card information if you're an attacker is going to be on the network in RAM or on the disk those are the three core places we want to look so I find a lot of organizations well actually they won't encrypt the credit card information within the organization and PCI DSS did not require that what they required was you to encrypt the credit card information between the merchant and the actual payment processor within that environment you can still not encrypt it have credit cards in plain text and you're fully compliant so again compliance doesn't mean security as an attacker it's very easy to go in and sniff that network traffic if I get in I don't even have to
install malware there's a number of tools I can actually get access to that are actually on some of these servers or I can actually sniff some of this information look for that credit card information and actual trade it very easily there's a number of pieces of malware that will also look for that on the network they'll look for any sort of credit card anything that looks like a credit card information it'll write it out to a file and then you know exfiltrate that from the organization but then we want to get more sophisticated right so some of these organizations they're actually encrypting that data so ram scraping is as the next way to go in the way it
works is you know credit card gets swiped that credit card number is actually put in memory before it's even transmitted or encrypted anywhere you can see here sorry it's kind of tiny but you can see what the actual credit card number is actually in there it's really easy actually to grab and then we can go in and we can then download that to a file I've actually we did a demo where we actually have some sort of point of sale malware we worked on in-house we have a demo if you guys are interested I'm more than happy to share that with you I didn't put it up on a public website but we have one for looking at
credit cards in RAM a credit card on the network as well as on disk so they're just a little utilities you can run on a simulated point-of-sale device if anyone works in retail and you want to scare the crap out of you know your boss your executives to show how easy it is it's a really good way to do it sometimes just actually showing the real demo and how it works is something that kind of gets your point across a little better than just simply saying you don't to be the next target and then from there you know we want to exfiltrate the the the data to a remote server so you know what can
we do to mitigate some of this some of these the point of sale malware so when we look at security control responsibility for PCI DSS you know a lot of it you know is with the merchant however you know we actually look at things like point-of-sale like the RAM scraping malware in reality there wasn't really any way for retailers to identify that that was happening and so that really isn't covered under under PCI DSS sorry it's really tiny can you guys read that but i'll share my slides here but if you actually look at data in transit the local communication communication between the devices in the point of sale system you know these are not mandatory
and then communication to processors you know there's a requirement to encrypt information between the store and then the actual payment processor but not within the store itself you know this is evolving you know pci is trying to catch up but it seems like every time you know for how long it takes to get you know new requirements around PCI the hackers are already like ten steps ahead you know as we've seen as the PCI is evolved we've actually seen an increase in in retail breaches in though if we actually look at the environments when we actually look at the kill chain like we had before the first thing people should be doing is you know hardening your
configurations you know XS SS your perimeter for vulnerabilities again don't just run vulnerability scans you actually need a full vulnerability management solution there's a number of commercial products out there you can you know jerry-rig something using open source but it needs to be a continuous process where you're constantly monitoring for those vulnerabilities identify and prioritize and remediate those vulnerabilities quickly that's a big problem for a lot of organizations is actually the workflow around you know you know how to actually go out and remediate those vulnerabilities I see a number of organizations that get reports from a third party that they paid for here's all the vulnerabilities go fix it and you know they don't really know
which ones to fix first and then we want to go in through and continues to monitor for file changes we want to identify any sort of internal indicators to compromise you know though there's like file hashes things like that for malware usually if you start seeing that you know your systems are communicating with an IP address as a communicate with before that might be some an indicator as well if you actually start seeing credit cards in your environment you'd be sniffing for that if you actually see credit cards that are being transmitted across the network in plain text or otherwise you want to be able to identify that as well you also want to look for sort of large files that are
being created on a server for example it may be a big encrypted blob that may be the only thing that you see that's actually any sort of indicator that you've been compromised something's actually becoming more sophisticated they're not just storing the credit cards in a plain text file on there actually encrypting it so that they're trying to so they don't get detected another is to focus on the the network function and in segmentation of the payment systems number of retailers they'll actually have their payment systems on the same network as the rest of the business luckily most retailers have gotten smart now and they're there they're segmenting their networks but I swear sometimes you find one system
that's on both in you just slap your forehead shake your head wonder why and then of course the a good thing that really focused on is point to point encryption this is very different from end to end encryption point to point encryption will actually encrypt information the credit card data actually in memory so even if they do X we'll treat that with point install malware they still don't have any use for it I'm am seeing a possibility for some our to circumvent some of that but it's actually finding vulnerabilities some in some of the point-to-point in point software so it's not as easy to implement as some of the other attacks so focusing more on the point to point
encryption I think is going to go a long ways and actually protecting these organizations we're seeing a lot of retailers that are actually doing that but the problem with this is that there's a high cost to do this they have to rip out all the existing hardware but all the back and has to be overworked I was thinking you know we have to change our hardware for EMV anyway so wouldn't be a good idea to sort of you know kill two birds with one stone unfortunately not a lot of organizations are not savvy there I'm going to do EMV first they're going to wait and see how that goes and then they're going to look at actually
deploying point to point encryption and it's going to take a long time for us to actually see that sort of migration actually occur also you know focus better on n point monitoring as well as what's happening on the network you want to monitor for anything that looks like a credit card on the file system or even encrypted blob you want to look for any new binaries or change configuration files you know simple end point detection of detecting new binaries or configuration change that would have actually stopped a lot of these breaches about a lot of these folks they weren't actually monitoring those point-of-sale endpoints and that's been a challenge because some of these systems they can't
really have a full-fledged agent that are running on them because of system requirements tripwire does have one just saying sorry they just paid for my trip here thanks so but uh there are other tools out there that are focusing more on on the point of sale and they're getting more sophisticated to not just monitoring things for change configuration changes things like that but actually looking at processes which is really really slick and there's even things will actually automate there's something strange it'll automatically do a dump of memory and you can send that out to your incident response team so the more you can automate that process and the monitoring of those endpoints the more secure going to be you know EMV
I think it's it's a great shift I think it's going to be a good thing for the industry but it's important to realize that it doesn't actually provide security for any sort of online transactions so credit cards can still be used fraudulently online luckily some of the fraud protections there are becoming more sophisticated as well a lot of friends that are in the industry you know EMV it does not actually still require data encryption so it's still good to utilize the point to point encryption in those environments EMV cards they still have the magic strip for fallback processing so that could be an attack to is like compromised the system so that the chip and pin doesn't
work and it defaults back to the max trip so they're not going to shut a store down because the chip and pin doesn't work if they have to do max trip they will so just something to think about if you're an attacker so the card data can still be stolen EMV vulnerabilities they're going to be exploited there have been some security research around this already targeting some of those systems again it's gonna be more around vulnerabilities in the end point software in particular but just something to be aware of that you know even when you deploy these systems you still have to monitor those systems for vulnerabilities and ensure that you have a patent system and
process and in your processes it's going to decrease the value of credit card data it's going to decrease the demand for it but it's not going to impact the supply still going to be very easy to still steal that credit card information particularly from some of these organizations that aren't encrypting it I did a joint webcast with my friend Slava gums in we've done a lot of stuff on retail a tripwire I actually was able to get a sample chapter it's actually the best chapter of the entire book it's amazing it's a payment application architecture and vulnerabilities sorry about the tinyurl there's a QR code if you trust me but so feel free to download that sorry you have to fill out
like a lead form put gibberish information in there don't tell marketing I said that but you'll download that and it's a really good intro to some of the challenges of secure in these environments and what retailers can do to actually protect themselves and with that I guess I have a little bit of time for questions but I'm sure if you guys have any I'm also going to be here for the next few days so if you want come and talk to me we're happy to yeah
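The detection side of what the talk describes, as an added example that is not part of the talk and not code from Tripwire or any product: it checks two of the endpoint indicators listed above, card numbers sitting in the clear in a buffer pulled from the network, RAM or disk, and new binaries or changed configuration files on a point-of-sale host compared against a hash baseline. The sample buffers, file paths and file contents are constructed for the example; the card numbers are the standard 4111... and 5555... test numbers, not real cards. A Luhn check is applied so that timestamps and transaction ids do not trigger alerts, and any hit is logged masked so the alert itself never re-exposes a PAN.

```python
"""Added example (not from the talk or from Tripwire): two of the endpoint
indicators the speaker lists, run over constructed sample data.

1. Cleartext card numbers (PANs) in a buffer taken from the network, RAM or
   disk, confirmed with the Luhn check and reported masked.
2. New binaries or changed configuration files on a point-of-sale host,
   found by comparing SHA-256 hashes against a known-good baseline.
"""
import hashlib
import re
from typing import Dict, List

# A PAN candidate is 13-19 contiguous digits, or four groups of four digits
# joined by one consistent separator (space or dash), not embedded in a longer
# digit run.  Already-masked values such as 411111******1111 never match.
PAN_RE = re.compile(rb"(?<!\d)(?:\d{13,19}|\d{4}([ -])\d{4}\1\d{4}\1\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 so an alert never re-exposes the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(buf: bytes) -> List[str]:
    """Return masked, Luhn-valid PANs found in buf, deduplicated, in order."""
    hits: List[str] = []
    for m in PAN_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if luhn_ok(digits):
            masked = mask_pan(digits)
            if masked not in hits:
                hits.append(masked)
    return hits


BINARY_EXT = (".exe", ".dll", ".sys", ".so", ".bin")
CONFIG_EXT = (".ini", ".cfg", ".conf", ".xml", ".json")


def hash_tree(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every file; the dict stands in for a directory walk here."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_baseline(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every difference from the baseline the way an alert rule would."""
    now = hash_tree(current)
    report: Dict[str, List[str]] = {"new_binary": [], "new_file": [],
                                    "changed_config": [], "changed_file": [],
                                    "removed": []}
    for path, digest in sorted(now.items()):
        low = path.lower()
        if path not in baseline:
            report["new_binary" if low.endswith(BINARY_EXT) else "new_file"].append(path)
        elif digest != baseline[path]:
            report["changed_config" if low.endswith(CONFIG_EXT) else "changed_file"].append(path)
    report["removed"] = sorted(set(baseline) - set(now))
    return report


# --- constructed samples (not real captures; test card numbers only) -------
NETWORK_SAMPLE = (b"POST /auth HTTP/1.1\r\n\r\n"
                  b"pan=5555555555554444&exp=2512&amount=1999&txn=20150312094501")
RAM_SAMPLE = b"\x00\x00B4111111111111111^DOE/JOHN^2512101\x00\x00"  # track-1 layout
DISK_SAMPLE = b"411111******1111|2512\n4111-1111-1111-1111|2512\n"

BASELINE_FILES = {  # hypothetical POS install, hashed once when known good
    "C:/POS/pos.exe": b"pos binary v1",
    "C:/POS/pos.ini": b"[gateway]\nhost=pay.example\n",
    "C:/POS/logo.bmp": b"BM...",
}
CURRENT_FILES = {  # the same host later: one config edited, two files dropped
    "C:/POS/pos.exe": b"pos binary v1",
    "C:/POS/pos.ini": b"[gateway]\nhost=pay.example\ndebug=1\n",
    "C:/POS/logo.bmp": b"BM...",
    "C:/POS/upd.dll": b"dropped library",
    "C:/POS/out.dat": b"\x8a\x1f" * 4096,
}


def run_checks() -> Dict[str, object]:
    """Run both indicator checks over the constructed samples."""
    return {
        "network": find_cleartext_pans(NETWORK_SAMPLE),
        "ram": find_cleartext_pans(RAM_SAMPLE),
        "disk": find_cleartext_pans(DISK_SAMPLE),
        "files": diff_baseline(hash_tree(BASELINE_FILES), CURRENT_FILES),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

The 14-digit transaction id in the network sample matches the digit-run pattern but fails Luhn, and the already-masked value on disk never matches at all, which is what keeps a rule like this from paging on every timestamp in a log. On a real endpoint the baseline dict would come from walking the POS install directory, and the `new_file` bucket is where the large unexplained blob the speaker mentions would show up.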
Yeah, that's like a whole other presentation. I used to work for a company called occupation, and that's what they focused on. A lot of this gets put on the merchants themselves, and so they actually lose a lot of money from that, and so they have this really intelligent system where they do device identification: they're able to see that, hey, this system has been known to deal in stolen credit cards, things like that. There was actually just an issue with Vistaprint, I'm not sure if you guys are familiar with that. There were a bunch of wire fraud scams coming out of it, because they were offering a free month of service, a free website. So you could register a domain, you get a free website, free email, and so people were registering similar domains to other companies and then sending these very sophisticated phishing emails: "hey, this is Julie from accounting, can you wire this money to this account for paying this bill." It was all using stolen credit cards, and it was because Vistaprint was not requiring the security code, and they weren't even requiring the expiration. So these guys would get basically 30 days before they would even figure out that it was a stolen credit card. You already have the domain registered, so you still have the domain for another two months, so you can do this whole sophisticated scam. Once they started getting this fraud, they implemented some of those security controls, but still, people are still using that free 30-day window; it's just not as easy. But there are all sorts of scams like that. It's usually going to be more on the retailers themselves that are going to be implementing some of these fraud protection technologies.

I see a lot of times for stolen credit cards too, these guys that are selling the stolen credit cards are really focused on customer service. They want you to succeed in your fraud, and so what they'll do is they'll actually give you proxies as well. A lot of fraud detection will say, "hey, that credit card number, you're not in Oregon," and so what they'll actually give you is: this credit card belonged to someone in Oregon, here's their address and here's a proxy in Oregon, so that it looks like you're actually doing that transaction from Oregon. And if that credit card doesn't work, they're going to give you a new credit card number with another proxy. So they're going to make sure that you succeed; customer service is number one in underground markets.

Yeah, in the back? It's both. So I've seen it in both cases. The initial versions do have a binary, do have a signature, and do modify some of the system configurations, but I am starting to see some that run directly in RAM. Just the other day I talked to a security research group, and they were creating malware on the fly from existing code that's running on the system. These guys are brilliant, they're out of the University of Texas, really smart guys, so I'm guessing that we'll see this in the criminal underground probably within the next year or so. So the tools you actually have deployed: think about what access they have. If they're running as root, sysadmin, things like that, even security tools themselves will become targets for some of this malware, so just something to consider.

Yes? Not so much, I think. I haven't seen any malware that's been targeting them, particularly the ones running on iPads, things like that. I haven't really seen too many. The scams I have seen are people that are running those off of separate skimmers that'll store the card numbers on a file system or something like that, but that's usually a smaller type of scam. It's very similar to what you'll see in a restaurant when the waiter takes the card and he goes and swipes it on his own skimmer. But those are the only types of systems I've seen that on so far. I don't know if anyone else has seen anything like that; I'd be happy to talk to you, I'd be curious about that. Yeah, in the back?

You talked about dark sites and Tor. How much information are the people that steal the information giving away? Like, are they giving away IP address blocks or company names for free, and can you just start scraping those? Have you seen companies scraping those and trying to fix things before...?

Yeah, it varies. Most of the time it's going to be bulk data, but there are specialized guys you can go to. It's sort of like how you can get fullz; you guys know what fullz are, right? It's when you get the full identity of someone, not just the credit card number but also their address, things like that. It can be the same thing for a company, where there's all sorts of data that's out there that's been breached in these underground markets, and some of these guys will be sort of brokers and say, "yeah, we're targeting this one company, or this IP range, do you have any, can you go out and find this information for us?" So it's sort of like the research librarian that you had in college, to help you do your research: there are groups of people that'll help you conduct that reconnaissance and then provide those reports for you. A lot of the bank fraud managers are actually buying stolen credit cards in some of these underground markets. They'll buy them in batches just to see what store that's coming from. They're not buying a lot of them, but they're buying enough to get a sample to identify a potential breach. They are getting more savvy and they are monitoring some of these groups, the Secret Service as well, and they're looking for some of that information. But the problem with that is that these services get spun up, they come down; the average life for some of these marketplaces is anywhere from a couple of months to a few weeks. So, yes?

So that's a political battle with some of the retailers, and yeah, chip and signature doesn't do a whole heck of a lot. The PIN actually helps with the encryption, especially if you're looking at point-to-point encryption; it's sort of similar to how the PIN codes work for your ATM card or using your debit card. That's sort of a battle that is happening within the industry versus the banks right now. I think they're doing chip and signature to start, but it's really frustrating; it's like, if you're going to do chip and PIN, do chip and PIN, don't do this half-assed thing. And that's why we keep running into these sorts of hurdles and these troubles with getting compromised. Hackers are aware of that; they're going to find vulnerabilities, they're going to find ways of taking advantage of it. So right now it's a battle with the industry. Okay, and I think I'm done. If you have any questions, I'm going to be around for the next couple of days. So thank you.